Cybersecurity researchers have unearthed a fourth new malware strain, designed to spread the malware onto other computers in victims' networks, which was deployed as part of the SolarWinds supply chain attack disclosed late last year.
Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as Sunspot, Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks.
The latest finding comes amid an ongoing probe into the breach, suspected to be of Russian origin, that has claimed a number of U.S. government agencies and private sector companies.
"The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks as it provides further insights into post-compromise activity at organizations of interest to the attackers," Symantec researchers said.
The cybersecurity firm said it has found only four samples of Raindrop to date, which were used to deliver the Cobalt Strike Beacon, an in-memory backdoor capable of command execution, keylogging, file transfer, privilege escalation, port scanning, and lateral movement.
Symantec, last month, had uncovered more than 2,000 systems belonging to 100 customers that received the trojanized SolarWinds Orion updates, with select targets infected with a second-stage payload called Teardrop that is also used to install the Cobalt Strike Beacon.
"The way Teardrop is built, it could have dropped anything; in this case, it dropped Beacon, a payload included with Cobalt Strike," Check Point researchers said, noting that it was possibly done to "make attribution harder."
"While Teardrop was used on computers that had been infected by the original Sunburst Trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally and deploy payloads on other computers."
It is worth noting that the attackers used the Sunspot malware exclusively against SolarWinds in September 2019 to compromise its build environment and inject the Sunburst Trojan into its Orion network monitoring platform. The tainted software was then shipped to 18,000 of the company's customers.
Microsoft's analysis of the Solorigate modus operandi last month found that the operators carefully chose their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop based on intelligence gathered during an initial reconnaissance of the target environment for high-value accounts and assets.
Now Raindrop ("bproxy.dll") joins the mix. Although both Teardrop and Raindrop act as a dropper for the Cobalt Strike Beacon, they differ in a number of ways.
For a start, Teardrop is delivered directly by the original Sunburst backdoor, whereas Raindrop appears to have been deployed with the aim of spreading across the victims' network. What's more, the malware shows up on networks where at least one computer has already been compromised by Sunburst, with no indication that Sunburst triggered its installation.
The two malware strains also use different packers and Cobalt Strike configurations.
Symantec did not identify the organizations impacted by Raindrop but said the samples were found on a victim system that was running computer access and management software, and on a machine that was observed executing PowerShell commands to infect additional computers in the organization with the same malware.